Bulk vulnerability fix - Lockfile fix

[debricked]

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2021–3820

• Description

  Incorrect Comparison

  The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

  NVD

  inflect is vulnerable to Inefficient Regular Expression Complexity

  GitHub

  Inefficient Regular Expression in inflect

  inflect is vulnerable to Inefficient Regular Expression Complexity

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Inefficient Regular Expression in inflect · CVE-2021-3820 · GitHub Advisory Database · GitHub
      NVD - CVE-2021-3820
      Fix CVE-2021-3820 · pksunkara/inflect@a9a0a8e · GitHub
      Inefficient Regular Expression Complexity vulnerability found in inflect
      GitHub - pksunkara/inflect: custom inflections for nodejs
      Comparing pksunkara:HEAD...ready-research:Fix-ReDoS · pksunkara/inflect · GitHub
      Trying to get in touch regarding a security issue · Issue #31 · pksunkara/inflect · GitHub

CVE–2019–10747

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  GitHub

  Prototype Pollution in set-value

  Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

  Recommendation

  If you are using set-value 3.x, upgrade to version 3.0.1 or later.
  If you are using set-value 2.x, upgrade to version 2.0.1 or later.

  NVD

  set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      Prototype Pollution in set-value · CVE-2019-10747 · GitHub Advisory Database · GitHub
      NVD - CVE-2019-10747
      MLIST
      [SECURITY] Fedora 30 Update: nodejs-set-value-2.0.1-1.fc30 - package-announce - Fedora Mailing-Lists
      [SECURITY] Fedora 31 Update: nodejs-set-value-2.0.1-1.fc31 - package-announce - Fedora Mailing-Lists
      disallow proto keys · jonschlinkert/set-value@95e9d99 · GitHub
      GitHub - jonschlinkert/set-value: Set nested properties on an object using dot-notation.

CVE–2019–20149

• Description

  Exposure of Resource to Wrong Sphere

  The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

  GitHub

  Validation Bypass in kind-of

  Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

  Recommendation

  Upgrade to versions 6.0.3 or later.

  NVD

  ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	None

• References

      NVD - CVE-2019-20149
      Validation Bypass in kind-of · CVE-2019-20149 · GitHub Advisory Database · GitHub
      type checking · Issue #30 · jonschlinkert/kind-of · GitHub
      fix type checking vul in ctorName by xiaofen9 · Pull Request #31 · jonschlinkert/kind-of · GitHub

CVE–2019–10746

• Description

  Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

  The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

  GitHub

  Prototype Pollution in mixin-deep

  Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

  Recommendation

  If you are using mixin-deep 2.x, upgrade to version 2.0.1 or later.
  If you are using mixin-deep 1.x, upgrade to version 1.3.2 or later.

  NVD

  mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      NVD - CVE-2019-10746
      Prototype Pollution in mixin-deep · CVE-2019-10746 · GitHub Advisory Database · GitHub
      [SECURITY] Fedora 30 Update: nodejs-mixin-deep-1.3.2-1.fc30 - package-announce - Fedora Mailing-Lists
      [SECURITY] Fedora 31 Update: nodejs-mixin-deep-1.3.2-1.fc31 - package-announce - Fedora Mailing-Lists
      disallow constructor and prototype keys · jonschlinkert/mixin-deep@8f464c8 · GitHub
      GitHub - jonschlinkert/mixin-deep: Deeply mix the properties of objects into the first object, while also mixing-in child objects.

CVE–2020–7729

• Description

  Insecure Default Initialization of Resource

  The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

  GitHub

  Arbitrary Code Execution in grunt

  The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

  NVD

  The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

• CVSS details - 7.1

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	Low
  User interaction	Required
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      [SECURITY] [DLA 2368-1] grunt security update
      NVD - CVE-2020-7729
      Arbitrary Code Execution in grunt · CVE-2020-7729 · GitHub Advisory Database · GitHub
      CONFIRM
      Switch to use safeLoad for loading YML files via file.readYAML. · gruntjs/grunt@e350cea · GitHub
      USN-4595-1: Grunt vulnerability | Ubuntu security notices | Ubuntu
      grunt/file.js at main · gruntjs/grunt · GitHub

CVE–2020–28282

• Description

  NVD

  Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

  GitHub

  Prototype pollution vulnerability in 'getobject'

  Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      NVD - CVE-2020-28282
      Prototype pollution vulnerability in 'getobject' · CVE-2020-28282 · GitHub Advisory Database · GitHub
      node-getobject/getobject.js at aba04a8e1d6180eb39eff09990c3a43886ba8937 · cowboy/node-getobject · GitHub
      CVE-2020-28282 | WhiteSource Vulnerability Database

CVE–2020–7662

• Description

  GitHub

  Regular Expression Denial of Service in websocket-extensions (NPM package)

  Impact

  The ReDoS flaw allows an attacker to exhaust the server's capacity to process
  incoming requests by sending a WebSocket handshake request containing a header
  of the following form:

   Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...
  

  That is, a header containing an unclosed string parameter value whose content is
  a repeating two-byte sequence of a backslash and some other character. The
  parser takes exponential time to reject this header as invalid, and this will
  block the processing of any other work on the same thread. Thus if you are
  running a single-threaded server, such a request can render your service
  completely unavailable.

  Patches

  Users should upgrade to version 0.1.4.

  Workarounds

  There are no known work-arounds other than disabling any public-facing
  WebSocket functionality you are operating.

  References

  • https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/

  NVD

  websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      NVD - CVE-2020-7662
      Regular Expression Denial of Service in websocket-extensions (NPM package) · CVE-2020-7662 · GitHub Advisory Database · GitHub
      ReDoS vulnerability in websocket-extensions – The If Works
      Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser · faye/websocket-extensions-node@29496f6 · GitHub
      ReDoS vulnerability in Sec-WebSocket-Extensions parser · Advisory · faye/websocket-extensions-node · GitHub
      Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser · faye/websocket-extensions-ruby@aa156a4 · GitHub

CVE–2019–10795

• Description

  Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

  NVD

  undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a proto payload.

• CVSS details - 6.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	Low
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	Low
  Availability	Low

• References

      NVD - CVE-2019-10795
      fix: prevent changes in prototype chain · remy/undefsafe@f272681 · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked